Wednesday, March 4, 2026

Cisco warns of max severity Secure FMC flaws giving root access

Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.

Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.

Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices.

“An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the system,” the CVE-2026-20079 advisory reads.

“An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary code on the system and elevate privileges to root,” Cisco added about CVE-2026-20079.

While they both affect Cisco Secure FMC Software, CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, a cloud-based security policy manager that simplifies policy across Cisco firewalls and other devices.

At the moment, the company's Product Security Incident Response Team (PSIRT) has no evidence that the two security flaws are exploited in attacks or that proof-of-concept (PoC) exploit code has been published online.

Today, Cisco has also patched dozens of other security vulnerabilities, including 15 high-severity security flaws in Secure FMC, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense software.

In August, Cisco fixed another maximum-severity Secure FMC flaw, warning that it allows unauthenticated remote attackers to inject arbitrary shell commands that are executed on unpatched devices.

More recently, in January, it released patches for a maximum-severity Cisco AsyncOS zero-day that has been exploited in attacks against secure email appliances since November and addressed a critical Unified Communications RCE that was also used in zero-day attacks.

Last month, it also patched a maximum-severity Catalyst SD-WAN authentication bypass flaw that was abused as a zero-day, allowing remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
